Managing forwarding elements at edge nodes connected to a virtual network

ABSTRACT

Some embodiments provide a method for maintaining a virtual network that spans at least one cloud datacenter separate from multi-machine edge nodes of an entity. This method configures a gateway in the cloud datacenter to establish secure connections with several edge devices at several multi-machine edge nodes (e.g., branch offices, datacenters, etc.) in order to establish the virtual network. The method configures the gateway to assess quality of connection links with different edge devices, and to terminate a secure connection with a particular edge device for a duration of time after the assessed quality of the connection link to the particular edge device is worse than a threshold value. In some embodiments, the gateway is configured to distribute routes to edge devices at the edge nodes, and to forgo distributing any route to the particular edge device along the connection link for the duration of time when the assessed quality of the connection link is worse than (e.g., less than) a threshold value. In different embodiments, the gateway assesses the quality of the connection link based on different factors or different combinations of factors. Examples of such factors in some embodiments include the following attributes of a connection link: packet loss, latency, signal jitter, etc. Also, the routes that the gateway distributes in some embodiments include routes that the edge devices distribute to the gateway, as well as routes that the gateway learns on its own.

RELATED APPLICATIONS

Benefit is claimed under 35 U.S.C. 119(a)-(d) to Foreign Application Serial No. 201941043654 filed in India entitled “MANAGING FORWARDING ELEMENTS AT EDGE NODES CONNECTED TO A VIRTUAL NETWORK”, on Oct. 28, 2019, by VMWARE, INC., which is herein incorporated in its entirety by reference for all purposes.

In recent years, several companies have brought to market solutions for deploying software-defined (SD) wide-area networks (WANs) for enterprises. Some such SD-WAN solutions use external third-party private or public cloud datacenters (clouds) to define different virtual WANs for different enterprises. These solutions typically have edge forwarding elements (called edge devices) at edge nodes of an enterprise that connect with one or more gateway forwarding elements (called gateway devices or gateways) that are deployed in the third-party clouds.

In such a deployment, an edge device connects through one or more secure connections with a gateway, with these connections traversing one or more network links that connect the edge device with an external network. Examples of such network links include MPLS links, 5G LTE links, commercial broadband Internet links (e.g., cable modem links or fiber optic links), etc. The edge nodes include branch offices (called branches) of the enterprise, and these offices are often spread across geographies with network links to the gateways of various different network connectivity types. These network links often exhibit varying network path characteristics with respect to packet loss, latency, jitter, etc. Such multi-site connectivity in SD-WAN implementation needs to be reliable and resilient.

BRIEF SUMMARY

Some embodiments of the invention provide a method for maintaining a virtual network that spans at least one cloud datacenter separate from multi-machine edge nodes of an entity. This method configures a gateway in the cloud datacenter to establish secure connections with several edge devices at several multi-machine edge nodes (e.g., branch offices, datacenters, etc.) in order to establish the virtual network. The method configures the gateway to assess the quality of the connection links with different edge devices, and to terminate a secure connection with a particular edge device for a duration of time after the assessed quality of the connection link to the particular edge device is worse than a threshold value.

In some embodiments, the gateway is configured to distribute routes to edge devices at the edge nodes, and to forgo distributing any route to the particular edge device along the connection link for the duration of time when the assessed quality of the connection link is worse than (e.g., less than) a threshold value. In different embodiments, the gateway assesses the quality of the connection link based on different factors or different combination of factors. Examples of such factors, in some embodiments, include the following attributes of a connection link: packet loss, latency, signal jitter, etc. Also, the routes that the gateway distributes in some embodiments include routes that the edge devices distribute to the gateway, as well as routes that the gateway learns on its own.

In some embodiments, the particular edge device has connections with first and second gateways in first and second cloud datacenters. After the quality of the network link that connects the particular edge device to the first gateway degrades, the particular edge device does not receive routes from the first gateway. In some embodiments, this is achieved by the first gateway terminating the secure connection with the particular edge device and not establishing a new connection for a duration of time. However, during this period, the particular edge device can continue to receive routes from the second gateway in the second cloud datacenter, as the secure connection between the particular edge device and the second gateway uses a network link that is good.

In some embodiments, the particular edge device connects to several external networks through several network links comprising first and second network links. In some embodiments, examples of such external network links include a commercial broadband Internet link, a wireless telecommunication link, and an MPLS link. When the particular edge device connects to the first gateway through first and second network connection links, with the first connection link having an assessed quality that is worse than a threshold value while the second connection link has a quality that is better than the threshold value, the first gateway can continue to distribute routes to the particular edge device through the second connection link.

To reject connection requests from the particular edge device for the duration of time, the gateway adds the particular edge device to a blacklist that includes the edge device to which the gateway should not accept secure connection requests. In some embodiments, each edge device on the blacklist is identified in terms of a network address that is associated with a network link that is connected to the edge devices. The gateway device removes the particular edge device from the blacklist after the duration of time

In some embodiments, the gateway detects an anomaly in routes that are maintained at a particular edge device, and directs the particular edge device to perform a route reset operation to re-identify routes across the virtual network. The gateway detects the anomaly in some embodiments by detecting a drop in a number of routes maintained at the particular edge device that is larger than a threshold value. In some embodiments, the gateway stores an old list of routes that are maintained at the particular edge node. It then identifies a new list of routes that are maintained at the particular edge node, and compares these two lists to identify routes in the old list that are not in the new list. When more than the threshold value of routes is missing from the new list, the gateway specifies that an anomaly has been detected. In some embodiments, the gateway obtains the new list of routes from the particular edge node. Also, in some embodiments, the gateway stores the new list as the old list when changes to the new list do not exceed a threshold value.

The particular edge node, in some embodiments, is configured to exchange routes with another edge node. In some such embodiments, the detected anomaly can be caused by race conditions that incorrectly cause the particular edge node to filter out a subset of the routes when synchronizing routes with the other edge node. These two edge nodes are configured, in some embodiments, to establish a tunnel through which the two edge nodes forward data messages and forward the routes used to forward data messages to each other and to one or more gateways and/or other edge devices. In some embodiments, these two edge nodes are configured in a hub/spoke topology.

When the particular edge device performs the route reset operation, the particular edge device in some embodiments directs at least one other edge to synchronize the set of routes maintained by the other edge with the particular edge device. Conjunctively, or alternatively, the particular edge device in some embodiments performs the route reset operation by directing the anomaly-detecting gateway or another gateway to synchronize the set of routes maintained by the gateway with the particular edge device. In some embodiments, these routes are routes identified by one or more other edge devices and/or one or more gateways.

The preceding Summary is intended to serve as a brief introduction to some embodiments of the invention. It is not meant to be an introduction or overview of all inventive subject matter disclosed in this document. The Detailed Description that follows and the Drawings that are referred to in the Detailed Description will further describe the embodiments described in the Summary as well as other embodiments. Accordingly, to understand all the embodiments described by this document, a full review of the Summary, the Detailed Description, the Drawings, and the Claims is needed. Moreover, the claimed subject matters are not to be limited by the illustrative details in the Summary, the Detailed Description, and the Drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

The novel features of the invention are set forth in the appended claims. However, for purposes of explanation, several embodiments of the invention are set forth in the following figures.

FIG. 1 illustrates an example of a virtual network that is created for a particular entity by two gateways that are deployed in two different public cloud datacenters of two different public cloud providers.

FIG. 2 presents an example that illustrates the gateway terminating its secure connection with the edge forwarding element when it assesses that the quality of the network connection with this forwarding element has deteriorated by more than an acceptable amount.

FIG. 3 presents an example that illustrates an edge forwarding element with a poor network connection to one gateway connecting to the virtual network through another gateway.

FIG. 4 presents an example that illustrates that, after a gateway terminates a connection link with the edge forwarding element for a duration of time, this forwarding element can connect to the virtual network through another connection link with the same gateway.

FIG. 5 illustrates a process that a gateway periodically performs in some embodiments to maintain its sets of whitelisted connection endpoints and blacklisted connection endpoints.

FIG. 6 illustrates examples of a blacklist and a whitelist of a gateway.

FIG. 7 illustrates a process that a gateway performs in some embodiments to establish a secure connection with an edge endpoint of an edge node's forwarding element.

FIG. 8 illustrates a process that a gateway performs to distribute a route to edge forwarding elements.

FIGS. 9-12 illustrate an example of the gateway directing an edge forwarding element to rebuild its route data for a virtual network after detecting an anomaly in the routes maintained by the forwarding element.

FIG. 13 illustrates a process performed by a gateway to detect an anomaly in the set of routes that is maintained by an edge forwarding element that has an active connection session with the gateway.

FIG. 14 conceptually illustrates a computer system with which some embodiments of the invention are implemented.

DETAILED DESCRIPTION

In the following detailed description of the invention, numerous details, examples, and embodiments of the invention are set forth and described. However, it will be clear and apparent to one skilled in the art that the invention is not limited to the embodiments set forth and that the invention may be practiced without some of the specific details and examples discussed.

Some embodiments of the invention provide a method for maintaining a virtual network that spans at least one cloud datacenter separate from multi-machine edge nodes of an entity. In some embodiments, this method is implemented by a gateway in the cloud datacenter. This gateway is configured to establish secure connections with several edge devices at several multi-machine edge nodes (e.g., branch offices, datacenters, etc.) in order to establish the virtual network. According to this method, the gateway assesses the quality of connection links with different edge devices, and terminates a secure connection with a particular edge device for a duration of time when the assessed quality of the connection link to the particular edge device is worse than a threshold value.

In some embodiments, the gateway is configured to distribute routes to edge devices at the edge nodes, and to forgo distributing any route to the particular edge device along the connection link for the duration of time when the assessed quality of the connection link is worse than (e.g., less than) a threshold value. In different embodiments, the gateway assesses the quality of the connection link based on different factors or different combination of factors. Examples of such factors in some embodiments include the following attributes of a connection link: packet loss, latency, signal jitter, etc. Also, the routes that the gateway distributes in some embodiments include routes that the edge devices distribute to the gateway, as well as routes that the gateway learns on its own.

As used in this document, data messages refer to a collection of bits in a particular format sent across a network. One of ordinary skill in the art will recognize that the term data message may be used herein to refer to various formatted collections of bits that may be sent across a network, such as Ethernet frames, IP packets, TCP segments, UDP datagrams, etc. Also, as used in this document, references to L2, L3, L4, and L7 layers (or layer 2, layer 3, layer 4, layer 7) are references, respectively, to the second data link layer, the third network layer, the fourth transport layer, and the seventh application layer of the OSI (Open System Interconnection) layer model.

FIG. 1 illustrates an example of a virtual network 100 that is created for a particular entity by two gateways 105 and 107 that are deployed in two different public cloud datacenters 110 and 112 of two different public cloud providers. Examples of public cloud providers include Amazon Web Services (AWS), Google Cloud Platform (GCP), Microsoft Azure, etc., while examples of entities include a company (e.g., corporation, partnership, etc.), an organization (e.g., a school, a non-profit, a government entity, etc.), etc. In FIG. 1 , the gateways are multi-tenant forwarding elements that can be used to establish secure connection links (e.g., tunnels) with edge forwarding elements at the particular entity's multi-machine sites, such as branch offices, datacenters, etc. These multi-machine sites are often at different physical locations (e.g., different buildings, different cities, different states, etc.) and are referred to below as multi-machine edge nodes.

Five such edge nodes 120-128 are illustrated in FIG. 1 . Each of these edge nodes is shown to include at least one edge forwarding element 130-138 that exchanges data messages with one or more gateways through one or more secure connection links between the edge forwarding element and the gateway(s). As shown by edge node 124 and gateway 105, multiple secure connection links (e.g., multiple secure tunnels) can be established between one edge node and a gateway. When multiple such links are defined between an edge node and a gateway, each secure connection link in some embodiments is associated with a different physical network link between the edge node and an external network. For instance, to access external networks, an edge node in some embodiments has one or more commercial broadband Internet links (e.g., a cable modem, a fiber optic link) to access the Internet, an MPLS (multiprotocol label switching) link to access external networks through an MPLS provider's network, a wireless cellular link (e.g., a 5G LTE network), as further described below by reference to FIG. 4 .

In FIG. 1 , each gateway is used to connect two edge nodes through at least two secure connection links between the gateway and the two edge forwarding elements at the two edge nodes. In some embodiments, each secure connection link is formed as a VPN (virtual private network) tunnel between the gateway and an edge forwarding element. The collection of the edge forwarding elements, gateways, and the secure connections between the edge forwarding elements and the gateways forms the virtual network 100 for the particular entity that spans the two public cloud datacenters 110 and 112 to connect the edge nodes 120-128.

In some embodiments, secure connection links are defined between gateways to allow paths through the virtual network to traverse from one public cloud datacenter to another, while no such links are defined in other embodiments. Also, as the gateways 105 and 107 are multi-tenant gateways, they are used in some embodiments to define other virtual networks for other entities (e.g., other companies, organizations, etc.). Some such embodiments use tenant identifiers to create tunnels between a gateway and edge forwarding elements of a particular entity, and then use tunnel identifiers of the created tunnels to allow the gateway to differentiate data message flows that it receives from edge forwarding elements of one entity from data message flows that it receives along other tunnels of other entities. In other embodiments, the gateways are single tenant and are specifically deployed to be used by just one entity.

FIG. 1 illustrates a cluster of controllers 140 in the public cloud datacenter 110. This controller cluster 140 serves as a central point for managing (e.g., defining and modifying) configuration data that is provided to the edge nodes and/or gateways to configure some or all of the operations. In some embodiments, the controller cluster 140 has a set of manager servers that define and modify the configuration data, and a set of controller servers that distribute the configuration data to the edge forwarding elements and/or gateways. In some embodiments, the controller cluster 140 directs edge forwarding elements to use certain gateways (i.e., assigns gateway to the edge forwarding elements).

Although FIG. 1 illustrates the controller cluster 140 residing in one public cloud datacenter 110, the controllers in some embodiments reside in multiple different public cloud datacenters and/or in a private cloud datacenter. Also, some embodiments deploy one or more gateways in one or more private cloud datacenters, e.g., datacenters of the entity that deploys the gateways and provides the controllers for configuring the gateways to implement virtual networks.

FIG. 2 presents an example that illustrates the gateway 105 terminating its secure connection with the edge forwarding element 130 when it assesses that the quality of the network connection with this forwarding element has deteriorated by more than an acceptable amount. As further described below, each gateway iteratively performs a set of measurement operations that assess the quality of the network link used by an edge forwarding element to establish a secure connection link with the gateway. In some embodiments, these measurements quantify a number of factors (such as connectivity speed, packet loss, signal jitter, etc.) from which the gateway generates a score that quantifies the quality of a network connection.

FIG. 2 presents its example in two stages. In a first stage 202, the gateway 105 is shown to have a secure connection 205 with the edge forwarding element 130. Through this secure connection, the edge forwarding element 130 connects its edge node 120 to the virtual network 100 established by the gateways 105 and 107, the edge forwarding elements 130-138, and their secure connections.

In the second stage 204, the gateway 105 detects an unacceptable deterioration of service in the network connection that the edge forwarding element 130 uses for the secure connection 205. Hence, as shown, the gateway 105 terminates this connection link and rejects subsequent requests from the edge forwarding element 130 for a duration of time. The gateway takes these actions in order to prevent an edge forwarding element with a weak network connection from adversely affecting the performance of the virtual network.

For instance, in some embodiments, the gateways operate as route reflectors that obtain routes (i.e., definitions of routes) through the virtual network from other gateways and/or edge forwarding elements, and distribute these routes to other edge forwarding elements. In some embodiments, the gateways also distribute routes that they learn on their own. Distribution of routes, however, can become problematic when one edge node has a poor network connection with the gateway that distributes the routes. For instance, because of a poor connection, a gateway might have to iteratively try to transmit a new set of routes to the edge node with the poor network connection, only to fail iteratively. Such iterative operations, in turn, can adversely affect other operations of the gateway (e.g., data message processing delay or data message loss).

Hence, after detecting that the quality of the connection link with the edge forwarding element 130 has degraded below an acceptable amount, the gateway 105 terminates the secure connection link 205 with this forwarding element, and places this forwarding element on its blacklist for a duration of time so that it rejects all attempts by this forwarding element to establish the secure connection link 205 again. With this connection link down, the gateway forgoes forwarding routes to the edge forwarding element 130 for a duration of time.

After a gateway terminates a connection link with a particular edge forwarding element for a duration of time, that forwarding element and its corresponding multi-machine edge node can connect to the virtual network through another connection link with the same gateway or a connection link with another gateway, so long as these other connection links do not suffer from poor network connectivity (i.e., so long as the physical network link for these other connections still meets acceptable performance metrics). FIG. 3 presents an example that illustrates an edge forwarding element with a poor network connection to one gateway connecting to the virtual network 100 through another gateway. Again, this example is illustrated in two stages 302 and 304.

The first stage 302 shows the edge forwarding element 132 connecting to the virtual network 100 through two secure connection links 305 and 310 to the gateways 105 and 107. The second stage 304 then shows the gateway 105 detecting an unacceptable deterioration of service in the network connection that the edge forwarding element 132 uses for the secure connection 305, terminating this connection link and rejecting subsequent requests from the edge forwarding element 132 for a duration of time. Again, the gateway 105 takes these actions in order to prevent the edge forwarding element 132 with a weak network connection from adversely affecting the performance of the virtual network 100.

The second stage 304 also shows that while the gateway 105 terminates its connection with the edge forwarding element 132 for a duration of time, the gateway 107 maintains its connection link 310 with this edge forwarding element 132 during this time period. This is because, during this time period, the quality of the network link that is used for the connection link 310 does not degrade to an extent that would require the gateway 107 to terminate this link. Hence, during this period, the edge forwarding element 132 can connect to the virtual network 100 through the gateway 107. Through this connection, the edge forwarding element 132 can continue to receive routes from the gateway 107 for the virtual network 100.

FIG. 4 presents an example that illustrates that after the gateway 105 terminates a connection link 405 with the edge forwarding element 134 for a duration of time, this forwarding element 134 can connect to the virtual network 100 through another connection link 410 with the same gateway 105. This example is illustrated in two stages 402 and 404. The first stage 402 shows the edge forwarding element 134 connecting to the virtual network 100 through two secure connection links 405 and 410 to the gateway 105. In this example, one connection link 405 uses a cable modem to access the gateway 105 through the Internet, while the other connection link 410 uses an MPLS device to reach the gateway 105 through an MPLS network.

The second stage 404 shows the gateway 105 detecting an unacceptable deterioration of service for the connection link 405, terminating this connection link, and rejecting subsequent requests from the edge forwarding element 134 for a duration of time to re-establish this connection link. The gateway 105 takes these actions in order to prevent the weak network connectivity that is used by edge forwarding element 134 for this connection link 405 from adversely affecting the performance of the virtual network.

The second stage 404 also shows that while the gateway 105 terminates its connection link 405 with the edge forwarding element 134 for a duration of time, this gateway 105 maintains its connection link 410 with this edge forwarding element 134 during this time period. This is because, during this time period, the quality of the network link that is used for the connection link 410 does not degrade to an extent that would require the gateway 105 to terminate this link. Hence, during this period, the edge forwarding element 134 can connect to the virtual network 100 through the gateway 105 and the connection link 410. Through this connection link, the edge forwarding element 134 can continue to receive routes from the gateway 105 for the virtual network 100.

FIG. 5 illustrates a process 500 that a gateway periodically performs in some embodiments to maintain its sets of whitelisted connection endpoints and blacklisted connection endpoints. In some embodiments, the gateway performs this process once every N (e.g., 30, 60, 120, 240, etc.) minutes. As shown, the process 500 collects (at 505) network measurements that one or more measurement agents associated with the gateway have produced since the last time that the gateway performed the process 500. These network measurements express the quality of the network connections between the gateway and candidate edge endpoints for the gateway. The candidate edge endpoints for the gateway are specified in terms of their network addresses (e.g., IP addresses) in some embodiments.

The measurement agent set in some embodiments is co-located with the gateway in the same datacenter, so that the measurements that this set produces accurately reflect the network connections that the gateway experiences with its set of candidate edge endpoints. The measurement agent set, in some embodiments, produces a set of network measurements for each candidate edge endpoint for the gateway. For each candidate edge endpoint of the gateway, the measurement agent set produces several different types of network measurements in some embodiments. These measurements include data message delay, data message loss, signal jitter, etc. Examples of taking such measurements are further described in U.S. Pat. No. 9,722,815, which is incorporated herein by reference.

The gateway's candidate edge endpoints are specified in terms of their network addresses (e.g., IP addresses) on a candidate edge endpoint list that the gateway receives from the controller cluster as part of its configuration data. The gateway might have an active connection session with an edge endpoint on this candidate edge endpoint list, in which case the candidate edge endpoint is on the gateway's whitelist of endpoints. Alternatively, a candidate edge endpoint might be on the gateway's blacklist of endpoints when it is a candidate edge endpoint to connect with the gateway, but the gateway has determined that it should not connect to the edge endpoint for a duration of time.

After collecting (at 505) the network measurements, the process selects a candidate edge endpoint that is on its list of candidate edge endpoints. This endpoint might be on the whitelisted endpoint list or the blacklisted endpoint list of the gateway, depending on whether the gateway previously blacklisted the endpoint based on its poor network connection. At 515, the process computes a weighted score for the edge endpoint selected at 510 by using a series of weight values to combine different network measurements that the process has collected for the selected endpoint. In some embodiments, the computed score also accounts for scores that the process 500 previously computed for the selected edge endpoint in its previous iterations. In some such embodiments, the process 500 uses another set of weight values to combine the weighted sum produced with the most recent collected measurements with scores computed for the selected endpoint in the previous iterations of the process 500.

Next, at 520, the process determines whether the selected endpoint has been blacklisted (i.e., whether it is on the gateway blacklist of endpoints). If so, the process determines (at 525) whether the score computed at 515 is now an acceptable score for removing the candidate endpoint from the blacklist. Such a score would indicate that the network connection of the candidate endpoint has improved enough to be considered a good network connection. When the computed score is deemed (at 525) to be acceptable, the process 500 places (at 530) the candidate endpoint on the gateway's whitelist and then transitions to 545. The process also transitions to 545 when it determines (at 525) that the computed score is not acceptable.

When the process determines (at 520) that the selected endpoint has not been blacklisted (i.e., determines that the selected endpoint is on the gateway's whitelist of endpoints), the process determines (at 535) whether the score computed at 515 is still an acceptable score for keeping the candidate endpoint on the gateway's whitelist. When such a score is not acceptable, it would be indicative that the network connection of the selected candidate endpoint has deteriorated too much for it to be considered a good network connection. When the computed score is deemed (at 535) not to be acceptable, the process 500 places (at 540) the candidate endpoint on the gateway's blacklist and then transitions to 545. The process also transitions to 545 when it determines (at 535) that the computed score is still acceptable.

At 545, the process determines whether it has examined all the connection endpoints on its list of candidate endpoints. If not, it returns to 510 to select another candidate endpoint and to repeat its operations for this newly selected endpoint. When the process determines (at 545) that it has examined all the connection endpoints, the process 500 ends.

FIG. 6 illustrates examples of a blacklist 605 and a whitelist 610 of a gateway. As shown, each list specifies an endpoint identifier along with an endpoint network address. As described above, the gateway will reject connection requests from endpoints on the blacklist. The gateway will forgo performing certain operations (e.g., route re-distributions) for endpoints on the blacklist. In other words, the gateway will perform certain operations (e.g., route re-distributions) for endpoints on the whitelist.

FIG. 7 illustrates a process 700 that a gateway performs in some embodiments to establish a secure connection with an edge endpoint of an edge node's forwarding element. As shown, the process 700 starts when the gateway receives (at 705) a connection request from an edge endpoint associated with an edge node's forwarding element. Next, at 710, the process 700 determines whether the edge endpoint is on its blacklist. In some embodiments, the process makes this determination (at 710) by determining whether the network address of the requesting forwarding element is on its blacklist.

If so, the process rejects (at 715) this request, and then ends. Otherwise, the process performs (at 720) a tunnel set-up operation to establish a secure tunnel with the requesting edge endpoint, and then ends. In some embodiments, this tunnel that is defined requires the gateway and the edge endpoint to exchange control signals (e.g., BFD signals) to ensure that the tunnel is operational (i.e., to ensure that the endpoints of the tunnels and their intervening connection are still operational). In other embodiments, the tunnel defined at 720 does not need its endpoints to exchange control signals.

FIG. 8 illustrates a process 800 that a gateway performs to distribute a route to edge forwarding elements. In some embodiments, the gateways perform this operation as they serve as route reflectors that remove or reduce the amount of routes that the edge forwarding elements have to distribute to other edge forwarding elements. In some embodiments, the gateway performs this process 800 each time it identifies that it has received a new route from another device (e.g., another edge forwarding element, another gateway, etc.) for a particular entity. The gateway in some embodiments receives new routes from other devices dynamically through one or more routing protocols, such as standard protocols, like BGP (Border Gateway Protocol) and OSPF (Open Shortest Path First), or proprietary protocols, like VCRP (Velocloud Routing Protocol). VCRP is described in U.S. Published Patent Application 2017/0237710, which is incorporated herein by reference.

In some embodiments, the routes are defined in terms of next-hop forwarding records, with each record having a match criteria and a forwarding network address. In some embodiments, the match criteria can be specified just in terms of a destination IP address, or in terms of additional header values (e.g., other five tuple header values, such as source IP address, source and/or destination port addresses, protocol). After receiving route records through one of the standard or proprietary protocols, the edge forwarding element builds its routing table (e.g., builds it FIB, forwarding information base) based on the received routing tables.

As shown, the process 800 starts when the gateway identifies (at 805) a route to distribute to one or more edge forwarding elements of the particular entity. From the list of active connection sessions that it maintains for the entity, the process then selects (at 810) an edge endpoint that has an active connection session with the gateway. At 815, the process then determines whether this selected edge endpoint should receive the route. The edge endpoint should not receive the route when it is the endpoint that provided the route to the gateway. The particular entity's edge endpoints that are currently blacklisted, and hence do not have current active connection sessions with the gateway, also do not get the route as they are never selected at 810.

If the selected edge endpoint should not receive the route, the process 800 transitions to 825, which will be further described below. Otherwise, the process sends (at 820) the route's information to the selected edge endpoint by using a routing protocol, such as BGP, OSPF, or VCRP. As mentioned above, the route information is distributed as next-hop route records in some embodiments. After 820, the process transitions to 825, where it determines whether it has examined all the edge endpoints associated with its current active connection sessions for the particular entity. If not, the process returns to 810 to select another edge endpoint. Otherwise, the process 800 ends.

In some embodiments, the gateway detects an anomaly in routes that are maintained at a particular edge forwarding element at a particular edge node, and based on this detection, directs the particular edge forwarding element to perform a route reset operation to re-identify routes across the virtual network. The gateway detects the anomaly in some embodiments by detecting a drop in a number of routes maintained at the particular edge forwarding element that is larger than a threshold value.

In some embodiments, the gateway stores an old list of routes that are maintained at the particular edge forwarding element. It then identifies a new list of routes that are maintained at the particular edge forwarding element, and compares these two lists to identify routes in the old list that are not in the new list. When more than the threshold value of routes are missing from the new list, the gateway specifies that an anomaly has been detected. In some embodiments, the gateway obtains the new list of routes from the particular edge forwarding element. Also, in some embodiments, the gateway stores the new list as the old list when changes to the new list do not exceed a threshold value.

In some such embodiments, the detected anomaly can be caused by race conditions that incorrectly cause the particular edge forwarding element to filter out a subset of the routes when synchronizing routes with another device (e.g., routes from another edge forwarding element). A controller cluster in some embodiments can direct one edge forwarding element to establish with another edge forwarding element a tunnel for a direct connection session so that the two edge forwarding elements can forward data messages directly. In some embodiments, edge forwarding elements can be configured in a hub/spoke topology with one edge forwarding element serving as a hub for relaying data messages between the other edge forwarding elements that are deployed as spokes in this topology. When a deployed virtual network includes a hub/spoke topology between some or all of its edge forwarding elements, race conditions that cause one edge forwarding element to filter out or to forgo building its routing table can occur, and this can result in severe degradation of services provided by the edge forwarding elements.

When the particular edge forwarding element performs the route reset operation, the particular edge forwarding element in some embodiments directs all the gateways (including the anomaly-detecting gateway) to which it connects to synchronize the routes that they maintain with the particular edge forwarding element. Conjunctively, or alternatively, the particular forwarding element in some embodiments performs the route reset operation by directing other edge forwarding elements to synchronize the routes that they maintain with the particular edge forwarding element. In some embodiments, these routes are routes identified by one or more other edge forwarding elements and/or one or more gateways.

FIGS. 9-12 illustrate an example of the gateway directing an edge forwarding element to rebuild its route data for a virtual network after detecting an anomaly in the routes maintained by the forwarding element. FIG. 9 illustrates a virtual network 900 that is formed by two gateways 905 and 907 and four edge forwarding elements 930-936 at four edge nodes 920-926. The gateways are deployed in two public cloud datacenters 910 and 912, while the edge nodes are branch offices and/or datacenters of a particular entity (e.g., a particular corporation). Along with the gateways, a cluster of controllers 940 are also deployed in one or both of the public cloud datacenters 910 and 912.

The gateways serve as intermediate forwarding elements to define a path through the virtual network from one edge forwarding element to another edge forwarding element. The gateways also serve as route reflectors in that they distribute to the edge forwarding elements routes that they learn or routes that they obtain from other edge forwarding elements and/or other gateways. The controller cluster 940 in some embodiments provides instructions for directing the edge forwarding elements to connect to certain gateways, while in other embodiments it provides the gateways with instructions to connect to certain edge forwarding elements.

Also, in some embodiments, the gateways and/or controller cluster provide instructions (e.g., configuration data) to direct the edge forwarding elements to form direct connections with each other. In other words, one edge forwarding element in some embodiments can form a direct connection session (one that does not go through a gateway) with another edge forwarding element. In FIG. 9 , the edge forwarding elements 930-932 have a direct connection session between them. Sometimes one edge forwarding element (e.g., an edge forwarding element in a datacenter) operates as a hub in a hub-spoke topology in which the other edge forwarding elements connect directly to it as spokes in the topology.

FIG. 9 shows a routing table 950 of the edge forwarding element 934 as storing twenty routes across the virtual network. Some of these routes traverse through a gateway while other routes traverse through another edge forwarding element that is directly connected to the edge forwarding element 934. As shown, the gateway 905 maintains data regarding these twenty routes that are stored by the edge forwarding element 934. In some embodiments, the gateway simply stores the number of routes maintained by the edge forwarding element 934. In other embodiments, it maintains a duplicate coup of the routes maintained by the edge forwarding element 934. In still other embodiments, it stores other data regarding the routes maintained by the edge forwarding element 934.

FIG. 10 shows the state of the virtual network 900 a period of time later after the time period shown in FIG. 9 . In FIG. 10 , the number of routes that the edge forwarding element 934 stores has dropped to 5. The gateway 905 detects this change, and directs the edge forwarding element 934 to reset its set of routes. FIG. 11 then shows the edge forwarding element 934 directing the gateways 905 and 910 to synchronize the routes that they maintain with the edge forwarding element 934. It also shows these gateways using a route sharing protocol (such as BGP, OSPF, or VCRP) to provide the routes that they learned and/or received with the edge forwarding element 934. FIG. 12 shows the routing table 950 of the edge forwarding element 934 as once again storing twenty routes across the virtual network.

In the example illustrated in FIG. 9-12 , the edge forwarding element 934 performs the route reset operation by directing all the gateways (including the anomaly-detecting gateway) to which it connects to synchronize the routes that they maintain with the edge forwarding element 934. Conjunctively, or alternatively, the edge forwarding element 934 in other embodiments performs the route reset operation by directing other edge forwarding elements to synchronize the routes that they maintain with the particular edge forwarding element.

FIG. 13 illustrates a process 1300 performed by a gateway to detect an anomaly in the set of routes (across the virtual network) that is maintained by an edge forwarding element that has an active connection session with the gateway. The gateway periodically (e.g., once every 5 minutes, 15 minutes, 30 minutes, etc.) performs this process in order to ensure that the edge forwarding element's maintained set of routes have not been corrupted. In some embodiments, this corruption simply entails an unacceptable reduction in the number of maintained routes, while in other embodiments, it entails an unacceptable amount of changes (e.g., additions, modifications, etc.) to the maintained routes.

As shown, the process 1300 starts by the gateway obtaining (at 1305) data regarding the current state of the edge forwarding element's maintained set of routes. In some embodiments, this data is in the form of the number of routes, while in other embodiments the data includes the actual maintained routes. Next, at 1310, the process 1300 compares the current state of the set of routes maintained by the edge forwarding element with the prior state that the gateway obtained in its prior iteration of the process 1300.

This comparison in some embodiments simply entails comparing the current number of maintained routes with the number of maintained routes that it previously identified for the edge forwarding element. In other embodiments, this comparison involves performing a differential synchronization operation (e.g., using Merkel trees) to identify the differences between the current route list and the prior route list obtained from the edge forwarding element.

At 1315, the process determines whether the comparison operation (at 1310) identified changes between the old and current maintained route list that is beyond an acceptable threshold value of change. When just comparing the number of maintained routes, the determination (at 1315) is whether the number of changed routes exceeds a certain acceptable threshold. When the comparison involves comparing actual routes between the old and new lists, the determination (at 1315) involves a determination as to whether the number of changes in the routes exceeds a certain acceptable threshold.

When the process determines (at 1315) that the changes are not beyond an acceptable threshold, the process ends. Otherwise, when the changes are beyond an acceptable threshold, the gateway directs (at 1320) the edge forwarding element to perform a route reset operation, and then ends. As mentioned above, an edge forwarding element performs a route reset operation in some embodiments by directing the gateways, with which it has active connection sessions, to synchronize the routes that they maintain with the edge forwarding element.

In some embodiments, an edge forwarding element, or another module executing on the same device or another device in the forwarding element's associated edge node, performs the process 1300 to detect an anomaly in its maintained list of routes. To do this, the edge node monitoring agent (i.e., the edge forwarding element or the other module operating in its edge node) maintains one or more sets of prior routes of the edge forwarding element. During each check, the monitoring agent compares the prior route set(s) with the current route set of the edge forwarding element to identify any anomaly between the two sets that is beyond an acceptable threshold. Upon detecting this condition, the monitoring agent in some embodiments directs the edge forwarding element to perform a route reset operation to obtain new routes from the gateways. Conjunctively, or alternative, the monitoring agent in some embodiments generates a report to alert an administrator and makes this report available through email or text, and/or through a user interface of a management tool.

Many of the above-described features and applications are implemented as software processes that are specified as a set of instructions recorded on a computer readable storage medium (also referred to as computer readable medium). When these instructions are executed by one or more processing unit(s) (e.g., one or more processors, cores of processors, or other processing units), they cause the processing unit(s) to perform the actions indicated in the instructions. Examples of computer readable media include, but are not limited to, CD-ROMs, flash drives, RAM chips, hard drives, EPROMs, etc. The computer readable media does not include carrier waves and electronic signals passing wirelessly or over wired connections.

In this specification, the term “software” is meant to include firmware residing in read-only memory or applications stored in magnetic storage, which can be read into memory for processing by a processor. Also, in some embodiments, multiple software inventions can be implemented as sub-parts of a larger program while remaining distinct software inventions. In some embodiments, multiple software inventions can also be implemented as separate programs. Finally, any combination of separate programs that together implement a software invention described here is within the scope of the invention. In some embodiments, the software programs, when installed to operate on one or more electronic systems, define one or more specific machine implementations that execute and perform the operations of the software programs.

FIG. 14 conceptually illustrates a computer system 1400 with which some embodiments of the invention are implemented. The computer system 1400 can be used to implement any of the above-described hosts, controllers, gateway and edge forwarding elements. As such, it can be used to execute any of the above described processes. This computer system includes various types of non-transitory machine readable media and interfaces for various other types of machine readable media. Computer system 1400 includes a bus 1405, processing unit(s) 1410, a system memory 1425, a read-only memory 1430, a permanent storage device 1435, input devices 1440, and output devices 1445.

The bus 1405 collectively represents all system, peripheral, and chipset buses that communicatively connect the numerous internal devices of the computer system 1400. For instance, the bus 1405 communicatively connects the processing unit(s) 1410 with the read-only memory 1430, the system memory 1425, and the permanent storage device 1435.

From these various memory units, the processing unit(s) 1410 retrieve instructions to execute and data to process in order to execute the processes of the invention. The processing unit(s) may be a single processor or a multi-core processor in different embodiments. The read-only-memory (ROM) 1430 stores static data and instructions that are needed by the processing unit(s) 1410 and other modules of the computer system. The permanent storage device 1435, on the other hand, is a read-and-write memory device. This device is a non-volatile memory unit that stores instructions and data even when the computer system 1400 is off. Some embodiments of the invention use a mass-storage device (such as a magnetic or optical disk and its corresponding disk drive) as the permanent storage device 1435.

Other embodiments use a removable storage device (such as a floppy disk, flash drive, etc.) as the permanent storage device. Like the permanent storage device 1435, the system memory 1425 is a read-and-write memory device. However, unlike storage device 1435, the system memory is a volatile read-and-write memory, such as random access memory. The system memory stores some of the instructions and data that the processor needs at runtime. In some embodiments, the invention's processes are stored in the system memory 1425, the permanent storage device 1435, and/or the read-only memory 1430. From these various memory units, the processing unit(s) 1410 retrieve instructions to execute and data to process in order to execute the processes of some embodiments.

The bus 1405 also connects to the input and output devices 1440 and 1445. The input devices enable the user to communicate information and select commands to the computer system. The input devices 1440 include alphanumeric keyboards and pointing devices (also called “cursor control devices”). The output devices 1445 display images generated by the computer system. The output devices include printers and display devices, such as cathode ray tubes (CRT) or liquid crystal displays (LCD). Some embodiments include devices such as touchscreens that function as both input and output devices.

Finally, as shown in FIG. 14 , bus 1405 also couples computer system 1400 to a network 1465 through a network adapter (not shown). In this manner, the computer can be a part of a network of computers (such as a local area network (“LAN”), a wide area network (“WAN”), or an Intranet), or a network of networks (such as the Internet). Any or all components of computer system 1400 may be used in conjunction with the invention.

Some embodiments include electronic components, such as microprocessors, storage and memory that store computer program instructions in a machine-readable or computer-readable medium (alternatively referred to as computer-readable storage media, machine-readable media, or machine-readable storage media). Some examples of such computer-readable media include RAM, ROM, read-only compact discs (CD-ROM), recordable compact discs (CD-R), rewritable compact discs (CD-RW), read-only digital versatile discs (e.g., DVD-ROM, dual-layer DVD-ROM), a variety of recordable/rewritable DVDs (e.g., DVD-RAM, DVD-RW, DVD+RW, etc.), flash memory (e.g., SD cards, mini-SD cards, micro-SD cards, etc.), magnetic and/or solid state hard drives, read-only and recordable Blu-Ray® discs, ultra-density optical discs, any other optical or magnetic media, and floppy disks. The computer-readable media may store a computer program that is executable by at least one processing unit and includes sets of instructions for performing various operations. Examples of computer programs or computer code include machine code, such as is produced by a compiler, and files including higher-level code that are executed by a computer, an electronic component, or a microprocessor using an interpreter.

While the above discussion primarily refers to microprocessor or multi-core processors that execute software, some embodiments are performed by one or more integrated circuits, such as application specific integrated circuits (ASICs) or field programmable gate arrays (FPGAs). In some embodiments, such integrated circuits execute instructions that are stored on the circuit itself.

As used in this specification, the terms “computer”, “server”, “processor”, and “memory” all refer to electronic or other technological devices. These terms exclude people or groups of people. For the purposes of the specification, the terms “display” or “displaying” mean displaying on an electronic device. As used in this specification, the terms “computer readable medium,” “computer readable media,” and “machine readable medium” are entirely restricted to tangible, physical objects that store information in a form that is readable by a computer. These terms exclude any wireless signals, wired download signals, and any other ephemeral or transitory signals.

While the invention has been described with reference to numerous specific details, one of ordinary skill in the art will recognize that the invention can be embodied in other specific forms without departing from the spirit of the invention. For instance, several of the above-described embodiments deploy gateways in public cloud datacenters. However, in other embodiments, the gateways are deployed in a third-party's private cloud datacenters (e.g., datacenters that the third-party uses to deploy cloud gateways for different entities in order to deploy virtual networks for these entities). Thus, one of ordinary skill in the art would understand that the invention is not to be limited by the foregoing illustrative details, but rather is to be defined by the appended claims. 

What is claimed is:
 1. A method of maintaining a virtual network that spans at least one cloud datacenter separate from multi-machine edge nodes of an entity, the method comprising: configuring a gateway in the cloud datacenter to establish secure connections with a plurality of edge forwarding nodes at a plurality of sites in order to establish the virtual network; configuring the gateway to distribute route-forwarding records to the plurality of edge forwarding nodes, each edge forwarding node using route-forwarding records to forward data messages received at the edge forwarding node; configuring the gateway to assess quality of a connection link used by each edge forwarding node; and configuring the gateway to forgo distributing any route-forwarding record to a particular edge forwarding node for a duration of time after the assessed quality of the connection link used by the particular edge forwarding node is worse than a threshold value.
 2. The method of claim 1, wherein: the gateway is a first gateway in a first cloud datacenter; and while the particular edge forwarding node does not receive route-forwarding records from the first gateway, the particular edge forwarding node receives route-forwarding records from a second gateway in a second cloud datacenter.
 3. The method of claim 2, wherein to forgo distributing any route-forwarding record to the particular edge forwarding node from the first gateway, the first gateway is configured to forgo establishing secure connections with the particular edge forwarding node for the duration of time.
 4. The method of claim 1, wherein: the particular edge forwarding node connects to a plurality of external networks through a plurality of network links comprising first and second network links; the connection link with the assessed quality worse than the threshold value is the first connection link; and the method further comprises configuring the gateway to distribute route-forwarding records through the second connection link with the particular edge forwarding node when a quality of the second connection link is better than the threshold value.
 5. The method of claim 4, wherein the network links comprise at least two of a broadband commercial Internet link, a wireless telecommunication link, and an MPLS (multi-path label switching) link.
 6. The method of claim 1, wherein configuring the gateway to forgo comprises configuring the gateway to reject secure connection requests from the particular edge forwarding node for the duration of time.
 7. The method of claim 6, wherein configuring the gateway to reject secure connection requests comprises adding the particular edge forwarding node to a blacklist comprising the edge forwarding nodes from which the gateway should not accept secure connection requests.
 8. The method of claim 6 further comprising removing the particular edge forwarding node from the blacklist.
 9. The method of claim 1, wherein configuring the gateway to assess the quality of the connection link comprises configuring the gateway to assess the quality based on at least one of the following attributes of the connection link: packet loss, latency, and signal jitter.
 10. The method of claim 1, wherein the route-forwarding records comprise route-forwarding records identified by other edge forwarding nodes.
 11. The method of claim 10, wherein the route-forwarding records comprise route-forwarding records learned by the gateway.
 12. The method of claim 1, wherein the plurality of sites comprise at least one of branch offices of the entity and datacenters of the entity.
 13. A method of maintaining a virtual network that spans at least one cloud datacenter separate from multi-machine edge nodes of an entity, the method comprising: configuring a gateway in the cloud datacenter to establish secure connections with a plurality of edge devices at a plurality of edge nodes in order to establish the virtual network; configuring the gateway to assess quality of connection links with different edge devices; and configuring the gateway to terminate a secure connection with a particular edge device for a duration of time after the assessed quality of a connection link to the particular edge device is worse than a threshold value.
 14. A non-transitory machine readable medium storing a program for execution by at least one processing unit to maintain a virtual network that spans at least one cloud datacenter separate from multi-machine edge nodes of an entity, the program comprising: a set of instructions for configuring a gateway in the cloud datacenter to establish secure connections with a plurality of edge forwarding nodes at a plurality of sites in order to establish the virtual network; a set of instructions for configuring the gateway to distribute route-forwarding records to particular the plurality of edge forwarding nodes, each edge forwarding node using route-forwarding records to forward data messages received at the edge forwarding node; a set of instructions for configuring the gateway to assess quality of a connection link used by each edge forwarding node; and a set of instructions for configuring the gateway to forgo distributing any route-forwarding record to a particular edge forwarding node for a duration of time after the assessed quality of the connection link used by the particular edge forwarding node is worse than a threshold value.
 15. The non-transitory machine readable medium of claim 14, wherein the gateway is a first gateway in a first cloud datacenter; and while the particular edge forwarding node does not receive route-forwarding records from the first gateway, the particular edge forwarding node receives route-forwarding records from a second gateway in a second cloud datacenter.
 16. The non-transitory machine readable medium of claim 15, wherein to forgo distributing any route-forwarding record to the particular edge forwarding node from the first gateway, the first gateway is configured to forgo establishing secure connections with the particular edge forwarding node for the duration of time.
 17. The non-transitory machine readable medium of claim 14, wherein the particular edge forwarding node connects to a plurality of external networks through a plurality of network links comprising first and second network links; the connection link with the assessed quality worse than the threshold value is the first connection link; and the program further comprises a set of instructions for configuring the gateway to distribute route-forwarding records from through the second connection link with the particular edge forwarding node when a quality of the second connection link is better than the threshold value.
 18. The non-transitory machine readable medium of claim 17, wherein the network links comprise at least two of a broadband commercial Internet link, a wireless telecommunication link, and an MPLS (multi-path label switching) link.
 19. The non-transitory machine readable medium of claim 14, wherein the set of instructions for configuring the gateway to forgo comprises a set of instructions for configuring the gateway to reject secure connection requests from the particular edge forwarding node for the duration of time.
 20. The non-transitory machine readable medium of claim 14, wherein the set of instructions for configuring the gateway to assess the quality of the connection link comprises a set of instructions for configuring the gateway to assess the quality based on at least one of the following attributes of the connection link: packet loss, latency, and signal jitter. 